The Hidden problems with Payment Card Security Technologies and PCI

by Avivah Litan

Ever since the high-profile payment card data breaches, we have been getting many client inquiries about payment card security technologies: point-to-point encryption (P2PE), tokenization and EMV. The first two are being widely adopted by U.S. companies, especially since nothing else seems to be working at keeping the bad guys out.

For example, Stage retail stores just announced adoption of Ingenico's point-to-point encryption (P2PE) solution for its 900 stores (see the Ingenico press release of January 11, 2015). Other technology providers such as Voltage and Verifone have had similar success selling large P2PE solution sets. Voltage, for example, sold P2PE to Home Depot, although it was installed too late to stop that retailer's well-publicized breach.

Ingenico, like the other card reader vendors that support P2PE solutions, also supports EMV. Stage's announcement reflects a trend Gartner sees among its clients: merchants have to upgrade their POS equipment to support EMV eventually because of the October 2015 liability shift, so while they are at it they choose card reader equipment that supports both EMV and P2PE. Not surprisingly, they turn on P2PE first. (See our research "Visa's Long-Overdue U.S. EMV Move Will Improve Security, but Do Little to Alleviate PCI Compliance Work" for more information on the EMV liability shift.)

P2PE can usually be turned on within three months if the solution uses remote key injection and management. Physically injecting keys into each card reader in a 'safe room' under its own lock and key obviously takes much longer. Once deployed, P2PE helps protect every card transaction against data breaches, because the card data is encrypted at the reader before it reaches the merchant's systems. Retailers Gartner speaks with say they will turn on EMV acceptance "later". They rightly view EMV as mainly helping the card brands and issuers, although once EMV becomes ubiquitous it will help everyone. For now, most merchants and payment card acceptors are not motivated by the October 2015 liability shift: according to U.S. retailers, as of October 2014 less than one percent of U.S. payment cards had chips in them, even though some 20% of merchant terminals could already accept them.

But merchants and payment acceptors don't have many PCI-certified P2PE solutions to choose from; in fact they have only six in total (see the PCI website). In our just-published research note "Avoid Pitfalls with Payment Card Security Technologies and PCI" we point out the various pitfalls that accompany P2PE solutions, tokenization and EMV. In summary:

• Many P2PE solutions that encrypt data at card swipe are not yet PCI-certified, leaving payment acceptors unsure whether to adopt them.

• EMV payment tokens, as first implemented by Apple Pay and the payment card networks, follow different protocols from the tokenization systems merchants use to limit the scope of PCI audits, so the two token implementations can conflict.
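The token mismatch in the second bullet, shown as an added example (this is not code from the original post or from any vendor it names): a toy merchant tokenization vault sits beside a toy EMV-style network token service, and one card is accepted twice, once swiped and once from a wallet. The vault design (random, Luhn-valid tokens with a non-card prefix), the token BIN range, the cryptogram construction (counter plus HMAC) and every card number are assumptions or constructed test values, chosen to illustrate the point rather than to reproduce any real scheme.

```python
"""Added example: merchant tokenization vs. EMV network tokens.
Assumptions (not from the post): the merchant vault swaps a PAN for a random
Luhn-valid token so the PAN never sits in merchant databases; a network token
is a different PAN-shaped number (the DPAN) plus a per-transaction cryptogram,
and only the network can map a DPAN back to the funding PAN (FPAN).
All card numbers and BIN ranges here are constructed test values."""
import hashlib
import hmac
import secrets


def luhn_check_digit(digits: str) -> str:
    """Check digit that makes digits + check Luhn-valid."""
    total = 0
    for i, ch in enumerate(reversed(digits)):  # rightmost payload digit is doubled
        d = int(ch) * 2 if i % 2 == 0 else int(ch)
        total += d - 9 if d > 9 else d
    return str((10 - total % 10) % 10)


def luhn_valid(pan: str) -> bool:
    return pan.isdigit() and len(pan) >= 13 and luhn_check_digit(pan[:-1]) == pan[-1]


def _random_number(prefix: str, length: int = 16) -> str:
    body = prefix + "".join(secrets.choice("0123456789") for _ in range(length - 1 - len(prefix)))
    return body + luhn_check_digit(body)


class MerchantVault:
    """Merchant-side tokenization: the token->PAN map stays inside the PCI
    boundary; every system outside it stores only the token."""
    TOKEN_PREFIX = "9"  # assumed non-card prefix so tokens are never mistaken for PANs

    def __init__(self):
        self._pan_to_token, self._token_to_pan = {}, {}

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a PAN-shaped value")
        if pan not in self._pan_to_token:
            token = _random_number(self.TOKEN_PREFIX)
            while token in self._token_to_pan:  # collision guard
                token = _random_number(self.TOKEN_PREFIX)
            self._pan_to_token[pan], self._token_to_pan[token] = token, pan
        return self._pan_to_token[pan]

    def detokenize(self, token: str) -> str:
        return self._token_to_pan[token]


class NetworkTokenService:
    """Toy token service provider: maps FPAN -> DPAN, hands the device a per-DPAN
    key, and verifies the device cryptogram (counter + HMAC), rejecting replays."""
    TOKEN_BIN = "490000"  # assumed token BIN range, not a real assignment

    def __init__(self):
        self._dpan_to_fpan, self._keys, self._last_atc = {}, {}, {}

    def provision(self, fpan: str):
        """Returns (dpan, device_key); the key stands in for what a real
        service loads into the phone's secure element."""
        dpan = _random_number(self.TOKEN_BIN)
        while dpan in self._dpan_to_fpan:
            dpan = _random_number(self.TOKEN_BIN)
        self._dpan_to_fpan[dpan] = fpan
        self._keys[dpan] = secrets.token_bytes(32)
        self._last_atc[dpan] = 0
        return dpan, self._keys[dpan]

    @staticmethod
    def device_cryptogram(device_key: bytes, dpan: str, amount_cents: int, atc: int) -> str:
        msg = f"{dpan}|{amount_cents}|{atc}".encode()
        return hmac.new(device_key, msg, hashlib.sha256).hexdigest()[:16]

    def authorize(self, dpan: str, amount_cents: int, atc: int, cryptogram: str):
        """Returns the FPAN to route to the issuer, or None if the cryptogram is
        bad or the transaction counter has already been seen (replay)."""
        key = self._keys.get(dpan)
        if key is None or atc <= self._last_atc[dpan]:
            return None
        if not hmac.compare_digest(self.device_cryptogram(key, dpan, amount_cents, atc), cryptogram):
            return None
        self._last_atc[dpan] = atc
        return self._dpan_to_fpan[dpan]


def demo(fpan: str = "4111111111111111") -> dict:
    """One card, two acceptance paths, two unrelated merchant tokens."""
    vault, tsp = MerchantVault(), NetworkTokenService()
    # Path 1: card swiped/dipped; the PAN reaches the tokenization point.
    tok_swipe = vault.tokenize(fpan)
    # Path 2: same card in a wallet; the merchant only ever receives the DPAN.
    dpan, device_key = tsp.provision(fpan)
    atc = 1
    cg = tsp.device_cryptogram(device_key, dpan, 1999, atc)
    tok_wallet = vault.tokenize(dpan)
    routed = tsp.authorize(dpan, 1999, atc, cg)   # network resolves DPAN -> FPAN
    replay = tsp.authorize(dpan, 1999, atc, cg)   # same cryptogram again
    return {
        "tok_swipe": tok_swipe,
        "tok_wallet": tok_wallet,
        "linked_in_vault": tok_swipe == tok_wallet,                      # False
        "merchant_recovers_fpan": vault.detokenize(tok_wallet) == fpan,  # False
        "network_routed_fpan": routed == fpan,                           # True
        "replay_accepted": replay is not None,                           # False
        "dpan": dpan,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The practical consequence is in the returned flags: the merchant's vault yields two unrelated tokens for one physical card, so any card-on-file, loyalty or fraud logic keyed on the merchant token sees two customers, and detokenizing the wallet token gives back only the DPAN, because the mapping to the funding PAN lives with the network and is exercised by its cryptogram check, not by the merchant's vault.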

Our research note delves into these obscure issues and, after extensive collaboration with various industry participants, recommends measures that merchants and other payment card acceptors can take to address them. We also warn our clients to beware of the 'one-off deals' that payment processors are offering merchants: a limited PCI audit in exchange for signing up for the processor's non-PCI-certified P2PE solution. There is probably no easier way to get your company locked into a payment processor than accepting such a 'deal'. It is incumbent on the PCI Security Standards Council to accelerate the P2PE solution certification process so that innovation can bloom and everyone is free to choose the best solutions available.